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DETAILED ACTION 

1. Claims 1-49 have been examined. 

Claim Rejections - 35 USC § 101 

35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of 
matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the 
conditions and requirements of this title. 

2. Claims 1-49 are rejected under 35 U.S.C. 101 because the claimed invention is 
directed to non-statutory subject matter. Computer software must be embodied on 
computer readable media. Note, that claims 1-7 do not preclude the device to be 
implemented in software, especially in light of the specification stating that 
"...preferred embodiment includes steps executed by software modules..." [068]. 
Furthermore, claims 10-12 and 14-15 are essentially (the most) manipulation steps 
with no tangible and usable outcome. As addressing the rejection, note that claims 
1 1-12, 14 and 19 use positive recitations that speculates that a particular method 
step could be, and not actually is, performed. Similarly claims 1-2, 5-9 provide no 
useful result. Compare it with claim 3, for example, which discloses conveying 
classified packets through a tunnel. 

3. Claims 3-4, 23, 26-29, 33, 36, 43 and 46 are rejected by virtue of their dependence. 

Appropriate correction is required. 

Claim Rejections - 35 USC §112 



The following is a quotation of the second paragraph of 35 U.S.C. 112: 
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The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 

4. Claims 1-9 are rejected under 35 U.S.C. 112, second paragraph, as failing to set 
forth the subject matter which applicant(s) regard as their invention. The term "a 
tunnel classification stage" recited in the claim language is not understood. The 
specification does not offer any clear definition of the term and the closest reference, 
points to Fig. 4 (paragraph [0016]: "block diagram illustrating a tunnel classification 
stage"). Fig. 4, discloses Ingress-Side Tunnel Classification Stage 400, which 
illustrates a sequence of events: Incoming packet Stream 410 processed by a 
Tunneled Security Group Device 430 to produces the outcome of Outgoing Packet 
Stream 420. However, the claim language (see claim 2 and 5, for example) appears 
to refer to the tunnel classification stage as a component of the network device 
recited in preamble of claim 1 (e.g. "...said tunnel classification stage comprises: a 
packet processing section..."). Since the specification do not clearly define the term 
"a tunnel classification stage", and in fact appears to contradict the claim language 
(Fig. 4 rather than any particular object in the figure, is referred to as illustrating a 
tunnel classification stage), for purpose of the further examination the term is treated 
as best understood. 

As addressing the "tunnel classification stage", note that claim 1 is an apparatus 
claim. If the "tunnel classification stage" was to be interpreted as Fig. 4 suggests, 
note that it would not be clear whether applicant intended claim 1 (and dependent 
claims) to be an apparatus claim or method daim. 
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5. Claim 6 is not understood. It is not clear whether the limitation implies that the 
network device is a router or whether the claim is incomplete, e.g. a network device 
is a set of computer devices, including a router. 

6. The phrase: "... forward said packet through a tunnel on which said packet is to be 
conveyed based on said SGI", recited in claim 3, is not understood. For purpose of 
the further examination the phrase is treated as "... is to be forwarded . 

7. Claim 30 is directed towards a XXX 

Claims 4 and 7-9 are rejected by virtue of their dependence. 
Appropriate correction is required. 

Claim Rejections - 35 USC § 102 

(a) the invention was known or used by others in this country, or patented or described in a printed 
publication in this or a foreign country, before the invention thereof by the applicant for a patent. 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

8. Claims 1-18, 20-28, 30-38, 40-48 and 46-48 are rejected under 35 U.S.C. 102(a) as 
anticipated by or, in the alternative, under 35 U.S.C. 103(a) as obvious over 
Applicant Admitted Prior Art (AAPA). 

As per claims 1-2 and 5, AAPA teaches "network access technologies such as ... 
virtual private network (VPN) gateways and the like allow users access to a given 
protected network from a variety of access or entry points." [002] "Fig. 1 is a block 
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diagram illustrating a network 100 of the prior art and the components thereof, in 
which such authentication protocols are employed to authenticate users." [003] 
"These network paths, while they may traverse some or all of the same network 
devices (i.e., physical segments), the paths are conceptually separate (e.g., can be 
viewed as separate virtual paths), and are controlled separately using, for example, 
access control lists (ACLs)." [004] 

9. This reads on packet processing and classifying a packet. Also, this clearly 
indicates that there must be some parameters identifying particular entities initiating 
a packet, otherwise a particular packet received from the user could not be 
controlled (identified and classified to) against a corresponding ACL's entry. For 
example, note paragraph [004] disclosed by AAPA that teaches ACL using mapping 
of a user host address. Furthermore, paragraph [002] teaches that access can also 
be restricted based on the Group(s) to which a user belongs (which is consistent 
with various access control lists known in the art (e.g. Microsoft Windows)). This 
parameter used to identify and classify received pockets against ACL entries reads 
on a security group identifier (SGI). Note, that a network device facilitating 
discussed above functionalities, which essentially equate to packet filtering, must 
use a processor and utilized at least packet processing (able to receive packets) 
unit, SGI identification unit and classification unit. 

10. The limitations of claims 3 and 4 are implicit. ACL are to restrict traffic in order to 
forward only allowed packets to their destination. Also, packet headers comprise 
destination information (see TCP/IP for example). 
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1 1 .As per claims 6, although AAPA does not disclose that the device implementing the 
ACL (identifying and classifying packets) is a router, the examiner points out that a 
particular name of the device would not affect the functionality of the discussed 
operation of the device. Furthermore, a router disclosed in Fig. 1 is a device that 
directly connects the subnetwork comprising clients 112, 114 and 116 with other 
network using the ineternetwork and implementing ACL on devices directly attached 
to a external network are well known in the art (firewalls) and one would have been 
motivated to implement ACL at the entry point to a network in light of the benefits of 
this architecture as evidenced by their commercial success. 

12. As per claims 7-8, a module utilizing ACL reads on a lookup unit. The examiner 
points out that in order for the entries to be indexed against ACL they must be stored 
in a memory (e.g. RAM) of a device, and memory is accessed using memory 
address. Additionally, the examiner points out that modern computer devices 
frequently utilize virtual memory, which also would meet limitations of claim 8. 

13. Claims 10-14, 20-24, 30-34 and 40-44 are substantially equivalent to claims 1-8. 
Thus, claims 10-14 and 16 are similarly rejected. 

14. The limitations of claims 16-17, 26-27, 36-37 and 46-47 are implicit. As discussed 
above, the purpose of ACL is to forward only permitted packets, discussed above, 
based on SGI. Packets that are not forwarded will not reach any egress routers and 
thus will not be forwarded by egress routers toward the final destination, such as 
server 120 in Fig.1. 
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Additionally, using a second interpretation of the claimed limitations, the examiner 
points out that Ingress and Egress Router disclosed in Fig. 1 are devices connecting 
a particular network (subnetwork) with external networks (other subnetwork using 
Internetwork). Implementing ACL restricting bidirectional traffic (outgoing as well as 
incoming ) on devices connecting an internal network with external network devices 
(such as Routers in Fig. 1), is well known in the art of computer security (see 
firewalls), and it would have been obvious to one of ordinary skill in the art at the 
time of applicant's invention to determining by the external/receiving router (egress 
router) given the benefit of security. 
15. As per claims 9, 15, 18, 25, 28, 38b 45 and 48, AAPA does not explicitly disclose 
that ACL comprises ACL entries (ACEs) and that ACEs comprise a security group 
identifier field. However, ACLs are essentially databases that are search for 
particular entries, and because they are used, as discussed above, to process 
packets based on a security group identifier, an ordinary artisan would readily 
recognize that a field containing security group identifier must be present in the ACL. 
Furthermore, AAPA does not disclose that ACL comprise a tunnel identifier field. 
However, an IP address associated with the particular tunnel or a port assigned to 
the tunnel (e.g. VPN (e.g. 500 for ISAKMP/IKE, 1701 for L2TP or 1723 for PPTP) 
would read on a tunnel identifier field. Including a tunnel identifier fields (e.g. ports or 
IP addresses) is old and well known in the art of computer security (e.g. in firewalls), 
and using ACL with a tunnel identifier field would have been obvious to one of 
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ordinary skill in the art at the time of applicant's invention given the benefit of 
network traffic control. 

Conclusion 

Claim 29 is objected to as being dependent upon a rejected base claim, but 
would overcome the art of record if rewritten in independent form including all of the 
limitations of the base claim and any intervening claims. Although overcame prior art, 
claims 19, 39 and 49 are rejected under 35 U.S.C. 101. 

The prior art made of record and not relied upon is considered pertinent to applicant's 
disclosure: 

Boden (USPN 6643776), 
Ylonen (USPN 6438612), 
Rekhter (USPN 6526056), 
Hoke (USPN 6701437), 
Jason (USPN 7028332), 
Weiss (USPUB 20020144144), 
Chantrain (USPUB 20020002687), 
Mukherjee (USPUB 20040225895), 
Daude (USPUB 20040088542). 
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Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Peter Poltorak whose telephone number is (571) 272- 
3840. The examiner can normally be reached Monday through Thursday from 9:00 



If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, KambizZand can be reached on (571) 272-3811. The fax phone number 
for the organization where this application or proceeding is assigned is (571) 273-8300. 
Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published 
applications may be obtained from either Private PAIR or Public PAIR. Status 
information for unpublished applications is available through Private PAIR only. For 
more information about the PAIR system, see http://pair-direct.uspto.gov. Should you 
have questions on access to the Private PAIR system, contact the Electronic Business 
Center (EBC) at 866-217-9197 (toll-free). 



a.m. to 4:00 p.m. and alternate Fridays from 9:00 a.m. to 3:30 p.m. 
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